From 5b1add9a4c4ed046b52cf2132ed0f264a22caf1d Mon Sep 17 00:00:00 2001
From: Brian Demers
Date: Tue, 29 Sep 2020 17:59:29 -0400
Subject: [PATCH] Disable jsessionid URL rewriting by default

This matches the default of the InvalidRequestFilter

Fixes: SHIRO-795
---
 .../spring/web/config/AbstractShiroWebConfiguration.java | 2 +-
 .../shiro/web/session/mgt/DefaultWebSessionManager.java | 2 +-
 .../web/session/mgt/DefaultWebSessionManagerTest.groovy | 5 ++++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java b/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
index 5ed98d8b67..fab145f8c4 100644
--- a/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
+++ b/support/spring/src/main/java/org/apache/shiro/spring/web/config/AbstractShiroWebConfiguration.java
@@ -43,7 +43,7 @@ public class AbstractShiroWebConfiguration extends AbstractShiroConfiguration {
     @Value("#{ @environment['shiro.sessionManager.sessionIdCookieEnabled'] ?: true }")
     protected boolean sessionIdCookieEnabled;
 
-    @Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: true }")
+    @Value("#{ @environment['shiro.sessionManager.sessionIdUrlRewritingEnabled'] ?: false }")
     protected boolean sessionIdUrlRewritingEnabled;
 
     @Value("#{ @environment['shiro.userNativeSessionManager'] ?: false }")
diff --git a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
index eb7eda1f40..9aa275a964 100644
--- a/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
+++ b/web/src/main/java/org/apache/shiro/web/session/mgt/DefaultWebSessionManager.java
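Review bot: The flipped default on `sessionIdUrlRewritingEnabled` carries no comment saying why it is now false, and because this is a behaviour change for applications that relied on URL-rewritten session ids (clients that reject cookies), the reason belongs next to the field rather than only in the commit message. I would add above the `@Value` line: `// Disabled by default: a session id carried in the URL is exposed through Referer headers, access logs and browser history; set shiro.sessionManager.sessionIdUrlRewritingEnabled=true to opt back in (SHIRO-795).` If any configuration metadata or reference documentation for this property states the old default, it needs the same update; none is part of this patch. The enclosing class continues outside the hunk.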
@@ -58,7 +58,7 @@ public DefaultWebSessionManager() {
         cookie.setHttpOnly(true); //more secure, protects against XSS attacks
         this.sessionIdCookie = cookie;
         this.sessionIdCookieEnabled = true;
-        this.sessionIdUrlRewritingEnabled = true;
+        this.sessionIdUrlRewritingEnabled = false;
     }
 
     public Cookie getSessionIdCookie() {
diff --git a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
index 841569fc39..35b312043f 100644
--- a/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
+++ b/web/src/test/groovy/org/apache/shiro/web/session/mgt/DefaultWebSessionManagerTest.groovy
@@ -127,7 +127,7 @@ public class DefaultWebSessionManagerTest {
         ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE);
         request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
         request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
-        request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.TRUE);
+        request.setAttribute(ShiroHttpServletRequest.SESSION_ID_URL_REWRITING_ENABLED, Boolean.FALSE);
 
         replay(cookie);
         replay(request);
@@ -147,6 +147,7 @@ public class DefaultWebSessionManagerTest {
         Cookie cookie = createMock(Cookie.class);
         mgr.setSessionIdCookie(cookie);
         mgr.setSessionIdCookieEnabled(false);
+        mgr.setSessionIdUrlRewritingEnabled(true)
 
         //we should not have any reads from the cookie fields - if we do, this test case will fail.
 
@@ -182,6 +183,7 @@ public class DefaultWebSessionManagerTest {
         Cookie cookie = createMock(Cookie.class);
         mgr.setSessionIdCookie(cookie);
         mgr.setSessionIdCookieEnabled(false);
+        mgr.setSessionIdUrlRewritingEnabled(true)
 
         //we should not have any reads from the cookie fields - if we do, this test case will fail.
 
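Review bot: `this.sessionIdUrlRewritingEnabled = false;` is a security default without a rationale comment, while the neighbouring `cookie.setHttpOnly(true)` line in the same constructor does explain itself; I would write `this.sessionIdUrlRewritingEnabled = false; //more secure, keeps the session id out of URLs (Referer headers, logs, history) - see SHIRO-795`. If the Javadoc on this class or on `setSessionIdUrlRewritingEnabled` still describes URL rewriting as enabled by default, it needs the same update; that text is not visible in this hunk. The constructor body begins outside the hunk.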
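Review bot: The new default is never asserted directly: the existing tests are brought into line with it, here by switching `SESSION_ID_URL_REWRITING_ENABLED` to `Boolean.FALSE`, and the later hunks opt each URL-parameter test back in with `setSessionIdUrlRewritingEnabled(true)`, but no case checks that a freshly constructed manager has rewriting disabled. Since that default is the whole point of the change, I would add a test containing `assertFalse(new DefaultWebSessionManager().isSessionIdUrlRewritingEnabled())` so a silent regression to `true` is caught; if such a check already exists elsewhere in the file, it is not part of this patch.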
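Review bot: The added `mgr.setSessionIdUrlRewritingEnabled(true)` drops the trailing semicolon while every surrounding statement in this hunk keeps one; Groovy accepts both, but this file's style is semicolons. The same applies to the identical lines added in the `@@ -182` and `@@ -218` hunks; I would write `mgr.setSessionIdUrlRewritingEnabled(true);` in all three.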
@@ -218,6 +220,7 @@ public class DefaultWebSessionManagerTest {
 
     public void testGetSessionIdFromRequestUriPathSegmentParam() {
         mgr.setSessionIdCookieEnabled(false);
+        mgr.setSessionIdUrlRewritingEnabled(true)
 
         HttpServletRequest request = createMock(HttpServletRequest.class);
         HttpServletResponse response = createMock(HttpServletResponse.class);